Depot is seeking to appeal the denial of its motion to dismiss the data breach
claims of numerous financial institutions. See Mem. in Supp. of Mot. to Certify
Order at 2-3, In re The Home Depot, Inc., Customer Data Sec. Breach Litig., MDL
No. 14-02583 (N.D. Ga. Jul. 5, 2016) (ECF No. 228-1). In 2014, Home Depot
suffered a massive data breach that may have compromised up to 56 million
credit and debit cards. Home Depot settled the claims brought by the
cardholders, but it still faces the claims brought by the banks and credit
unions that issued the payment cards. These financial institutions are seeking
to recover the costs of reimbursing cardholders for fraudulent charges and
preventing further fraud. Among other mitigation costs, the banks claim that
they had to cancel a.nd reissue cards, investigate fraudulent charges, and
monitor accounts for future fraud.
moving to dismiss the banks' claims, Home Depot argued that the banks lacked
standing to recover their mitigation costs because these costs were
"willingly incurred" to prevent harm that might never happen. Home
Depot argued that, since the threat of the future harm was speculative, the
banks had not suffered actual or concrete injury. Mem. in Supp. of Mot. To Dismiss
at 7-12, In re The Home Depot, Inc., Customer Data Sec. Breach Litig., MDL No.
14-02583 (N.D. Ga. Jul. 1, 2015) (ECF No. 114-1).
court rejected Home Depot's standing argument, finding that the banks had pled
actual injury under Clapper v. Amnesty Int'l USA, 133 S. Ct. 1138 (2013).
Specifically, the court noted that the costs incurred by the banks were not
"speculative" or "threatened future injuries," but "actual,
current, monetary damages." Order at 10-11, In re The Home Depot, Inc.,
Customer Data Sec. Breach Litig., MDL No. 14-02583 (N.D. Ga. May 18, 2016) (ECF
No. 211). Further, the court found that the banks had standing to recover any
costs undertaken to avoid future harm because they were "reasonable
mitigation costs due to a substantial risk of harm." Id. (citing Clapper,
at 1150 n.5.)
6, 2016, Home Depot moved for an order certifying an immediate interlocutory
appeal to the Eleventh Circuit. Among other questions of law, Home Depot seeks
to appeal "whether prophylactic measures taken to guard against losses
that may never occur are sufficient to establish Article III standing."
See Mem. in Supp. of Mot. for Interlocutory Appeal at 9-10, In re The Home
Depot, Inc., Customer Data Sec. Breach Litig., MDL No. 14-02583 (N.D. Ga. July
5, 2016) (ECF No. 228-1). In its brief, Home Depot notes that this is a
controlling question of law that, if decided in Home Depot's favor, would not
just materially advance the litigation, but likely end it, since the banks have
already been reimbursed for fraud loss under the card brands' settlement
Depot also argues that substantial grounds for disagreement exist with respect
to the court's finding that the banks had standing. According to Home Depot,
the MDL court was "the first court -- in the Eleventh Circuit or elsewhere
-- to issue an order addressing the standing of financial institutions to
assert claims arising out of a data breach." Id. at 2, 9. Home Depot acknowledges
that numerous courts have addressed standing in consumer litigation, but argues
that, even in the consumer context, this issue remains unsettled. Id. at 9-10.
Depot is successful, a favorable decision from the Eleventh Circuit could have
a significant impact on future data breach cases by financial institutions. The
bulk of the damages in these cases usually stems from the banks' efforts to
issue new cards and mitigate future harm. For example, in the 2014 Target data
breach, an industry association estimated that $174 million of approximately
$200 million in costs to banks was spent replacing compromised credit and debit
cards. Press Release, Consumer Bankers Association, Cost of Target Data Breach
Exceeds $200 Million (Feb. 18, 2014), available at
If the Eleventh Circuit finds that banks lack standing to recover these costs,
it may curtail future litigation and shift some of the costs of a data breach
to the banks.